1.2 Deployment Architecture and Components

In a deployment configured for communication using SAML v2, a
service provider and an identity provider must be created within a circle of trust. The circle of trust enables business providers
to easily conduct cross-network transactions for an individual while
protecting the individual's identity. The following sections contain
information on the architecture of the two providers in this deployment.

1.2.1 Identity Provider Deployment

An identity provider specializes in providing authentication
services. As the administrating service for authentication, an identity
provider maintains and manages identity information. It establishes
trust with a service provider in order to exchange user credentials,
enabling single sign-on between the providers. Authentication by an
identity provider is honored by all service providers with whom the
identity provider is partnered. The identity provider domain is idp-example.com. The following image illustrates the identity
provider architecture in this deployment.

Figure 1–1 Identity Provider Deployment Architecture

The identity provider domain in this deployment is idp-example.com. The identity provider application represents a legacy
system which relies on OpenSSO Enterprise to act as a secure gateway through which
identity information can be transferred to another application in
a different domain. This functionality is provided by the Secure Attribute
Exchange feature of OpenSSO Enterprise which uses SAML v2 without having to deal
with federation protocol and processing.

Two instances of OpenSSO Enterprise provide the core functionality.
Each instance is created with a configuration data store. Configuration
data includes information about services, administrative users, realms,
policies, and more. Two instances of Sun Java System Application Server are
installed on the OpenSSO Enterprise host machines into which the OpenSSO Enterprise WAR is then
deployed.

Note –

User data is accessed through a single load balancer deployed
in front of two instances of Sun Java System Directory Server.

Sun Java System Directory Server

Two instances of Directory Server provide storage for user entries
that will be created for testing this deployment. Both instances of Directory Server are
masters that engage in multi-master replication, providing high availability
to the OpenSSO Enterprise layer.

Note –

The command line is used for all Directory Server configurations in
this guide.

Load Balancers

The load balancer hardware and software used for this
deployment is BIG-IP® manufactured by F5 Networks. They are deployed
as follows:

1.2.2 Service Provider Deployment

A service provider offers web-based services to an identity.
This broad category can include portals, retailers, transportation
providers, financial institutions, entertainment companies, libraries,
universities, governmental agencies, and other organizations that
consume identity information for purposes of access. The service provider
domain is sp-example.com. The following image illustrates
the service provider architecture in this deployment.

Figure 1–2 Service Provider Deployment Architecture

The service provider domain in this deployment is sp-example.com. The service provider application represents a legacy system
which relies on OpenSSO Enterprise to act as a secure gateway through which identity
information can be received from the identity provider. This functionality
is provided by the Secure Attribute Exchange feature of OpenSSO Enterprise which
uses SAML v2 without having to deal with federation protocol and
processing.

Two instances of OpenSSO Enterprise provide the core functionality.
Each instance is created with a configuration data store. Configuration
data includes information about services, administrative users, realms,
policies, and more. Two instances of Sun Java System Application Server are
installed on the OpenSSO Enterprise host machines into which the OpenSSO Enterprise WAR is then
deployed.

Note –

User data is accessed through a single load balancer deployed
in front of two instances of Sun Java System Directory Server.

Sun Java System Directory Server

Two instances of Directory Server provide storage for user entries
that will be created for testing this deployment. Both instances of Directory Server are
masters that engage in multi-master replication, providing high availability
to the OpenSSO Enterprise layer.

Note –

The command line is used for all Directory Server configurations in
this guide.

Load Balancers

The load balancer hardware and software used for this
deployment is BIG-IP® manufactured by F5 Networks. They are deployed
as follows:

Policy agents are used to restrict access to hosted
content or applications. The policy agents intercept HTTP requests
from external users and redirect them to OpenSSO Enterprise for authentication.
Web policy agents protect any resources under the doc root
of the web container. J2EE policy agents protect a variety of hosted
J2EE applications; in this deployment, agentsample is
used. The agents communicate with the OpenSSO Enterprise instances through the
configured load balancer.
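As an added illustration (not OpenSSO Enterprise or policy agent code), the following Python function sketches the agent decision just described: a request for a protected resource that carries no valid OpenSSO session is redirected to the login page with a goto parameter pointing back at the original URL. The login URL, the session cookie name, the protected and not-enforced path lists, and the session-validation callback are all assumed values standing in for what the real agent reads from its configuration and checks against OpenSSO through the load balancer.

```python
"""Simplified policy-agent request filter (added illustration, not OpenSSO code)."""
from http.cookies import SimpleCookie
from urllib.parse import urlencode
import posixpath

# Assumed values: login URL behind the OpenSSO load balancer, the OpenSSO
# session cookie name, and the paths the J2EE agent enforces in this deployment.
LOGIN_URL = "https://lb-opensso.sp-example.com/opensso/UI/Login"
SESSION_COOKIE = "iPlanetDirectoryPro"
PROTECTED_PREFIXES = ("/agentsample/",)      # the sample application
NOT_ENFORCED = ("/agentsample/public/",)     # constructed exception list


def canonical_path(path):
    """Collapse '.' and '..' segments so a crafted path cannot bypass the prefix test."""
    bare = path.split("?", 1)[0]
    return posixpath.normpath("/" + bare.lstrip("/"))


def _under(path, prefix):
    return path == prefix.rstrip("/") or path.startswith(prefix)


def is_protected(path):
    p = canonical_path(path)
    if any(_under(p, n) for n in NOT_ENFORCED):
        return False
    return any(_under(p, n) for n in PROTECTED_PREFIXES)


def filter_request(scheme, host, path, cookie_header, session_valid):
    """Return ('allow', None) or ('redirect', login_location).

    session_valid: callable(token) -> bool; stands in for the agent's
    session validation call to OpenSSO Enterprise via the load balancer.
    """
    if not is_protected(path):
        return ("allow", None)
    cookies = SimpleCookie(cookie_header or "")
    token = cookies[SESSION_COOKIE].value if SESSION_COOKIE in cookies else None
    if token and session_valid(token):
        return ("allow", None)
    # No usable session: send the user to OpenSSO and preserve the target URL.
    goto = "%s://%s%s" % (scheme, host, path)
    return ("redirect", LOGIN_URL + "?" + urlencode({"goto": goto}))
```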

Protected Resource Host Machine

The protected resource host machine contains the content
to which access is restricted. To this end, BEA WebLogic Server, Sun Java System Web Server,
and the respective J2EE and web policy agents will be installed. A
sample Java Server Page included with OpenSSO Enterprise will be used to emulate
a legacy application for purposes of demonstrating Secure Attribute
Exchange using SAML v2. The protected resource host machine will
be used in Chapter 14, Testing Attribute Mapping